Wednesday, June 07, 2006

Security Prompt Gone from Outlook 2007 Object Model (Almost)

What's New for Developers in Microsoft Office Outlook 2007 (Part 1 of 2)

"...
Security
Outlook 2007 introduces an important change in the way that the Outlook object model guard operates. While the behavior of the object model guard has not changed significantly for Outlook add-ins, Outlook 2007 allows external applications to run without object model guard prompts-provided that the computer on which your code is running has functional antivirus software installed and that all antivirus definitions are current.

This change represents a major departure from the way the object model guard worked in previous versions for external out-of-process COM callers. Before Outlook 2007, external COM callers were always untrusted from the perspective of the object model guard. This means that external applications had to resort to extended MAPI or third-party libraries in order to prevent the display of Outlook 2007 object model guard warnings, such as the one shown in Figure 3.


Outlook Address Book warning

Figure 3. Outlook Address Book warning

The object model guard was originally introduced for Microsoft Outlook 98 and Microsoft Outlook 2000. Since the introduction of the object model guard, the frequency of the Address Book warning often frustrated developers for legitimate external COM applications and their users. Also, if you needed to use CDO for MAPI property access or improved performance, you faced a different security model that did not integrate with the Outlook add-in trust model. For most applications, Outlook 2007 has removed the need for CDO. Outlook 2007 offers improved security that aims at removing development road blocks for all legitimate Outlook developers. The following sections describe the operation of the Outlook object model guard in Outlook 2007.

....


Out-of-Process Callers and the Outlook Object Model Guard
For out-of-process callers, the behavior has changed significantly from Outlook 2003. If antivirus software has been installed and is up-to-date on the client computer, Outlook will not display object model guard warning dialogs when you call protected members such as MailItem.Send or MailItem.Recipients.

All out-of-process COM callers and add-ins will run without security prompts under the following conditions:

  • The client computer is running Microsoft Windows XP SP2 or Microsoft Windows Vista and the Windows Security Center indicates that the antivirus software is in a "Good" health status. If the computer is joined to a domain, this health status indicator may not be visible, but will still be maintained.
  • The installed antivirus software is designed for Windows XP SP2 or Windows Vista.
  • Outlook is configured in one of the following ways:

    • Uses the default security settings
    • Uses group policy-defined security settings that are set to warn when no antivirus software is detected
    • Uses group policy-defined security settings that do not have programmatic access policy applied
Additionally, Outlook will suppress the prompts when it has been configured to Never warn me about suspicious activity (not recommended) through the Trust Center dialog box ..."

This is huge! (For me and other out of process Outlook developers at least).

Working around Outlook security eats up way too much development time... This feature alone will drive me to push for Outlook 2007.

No comments: